Dozens of U.S. enterprises are still using Apple mobile apps seeded with malware for a clever hacking scheme revealed last month known as XcodeGhost. The computer security firm FireEye said Tuesday it has detected 210 enterprises that are still using infected apps, showing that the XcodeGhost malware "is a persistent security risk," according to a blog post. Last month, more than 4,000 applications were found to have been modified with a counterfeit version of Xcode, which is an application development tool from Apple.
Google's security researchers hunted for bugs in Samsung's Galaxy S6 Edge phone as part of an experiment to see how vulnerable the code that manufacturers add to Android can be. It's pretty bad. The researchers found 11 vulnerabilities in Samsung's code that could be exploited to create files with system privileges, steal the user's emails, execute code in the kernel and escalate the privilege of unprivileged applications. "Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down," the security researchers said in a blog post. "The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review."
If you want to make free, worldwide encrypted calls, then you should consider using Signal; it supports encrypted texting too. While iPhone users have had the option to use Signal since last year, yesterday Open Whisper Systems founder Moxie Marlinspike announced that TextSecure and RedPhone have been rolled into one Signal for Android app.
Signal is so super easy to use, even your granny can make private calls and send private texts. Cryptography researcher Matt Blaze previously tweeted about overhearing an elderly gentleman explaining how to install Signal; Blaze called it a "turning point."
To the rescue
According to a Gartner report, the Disaster Recovery as a Service market originally emerged to address IT organizations' need to support increasingly aggressive recovery-time targets and more frequent and lower-cost testing while understaffed, or without requiring a significant time commitment by existing IT staff.
Companies are wary about what employees are doing on their smartphones. Be it data loss or time-wasting, a growing number of employers are actively stopping staff from using certain apps on company-controlled devices. After surveying the roughly 6,000 companies that use its mobile security management software, MobileIron determined the top 10 consumer apps that are most often blocked or blacklisted at companies:
Dropbox
Angry Birds
Facebook
Microsoft OneDrive
Google Drive
Box
Whatsapp
Twitter
Skype
SugarSync
It's perhaps no surprise that half of the positions in the top 10 are for file-sharing apps. Corporate IT managers are wary about giving users the ability to download and share internal files on apps that aren't under corporate control.
PageFair, an Irish ad analytics company, said Monday a small percentage of users were at risk after attackers compromised its systems over the weekend. CEO Sean Blanchfield wrote that 501 publishers that use the company's JavaScript tag were affected. Ninety percent of publishers have less than ten million page views per month, and 60 percent have less than one million page views per month, he wrote. PageFair has calculated that about 2.3 percent of the visitors to those sites would have been at risk of being infected. The attackers gained access to a key email account at PageFair and then reset the password for a PageFair account at a content distribution network (CDN).
A team of security researchers may have found a way to remotely penetrate the defenses of Apple's latest mobile OS, making them eligible for a $1 million reward.
The money was offered in a contest run by a Washington, D.C.-based company called Zerodium, which is in the controversial business of buying and selling information about software vulnerabilities.
It congratulated the winning team on Twitter Monday, though it didn't identify the researchers, which made its claim about finding a new security hole in iOS 9 impossible to verify.
New security patches for Google's Nexus devices address seven vulnerabilities, two of which are critical and could allow for remote code execution when handling media files. The updates, released on Monday, are part of Google's recently introduced monthly patch cycle and are available for Nexus devices running both Android 5.1 (Lollipop) and 6.0 (Marshmallow). The source code for the fixes will also be added to the Android Open Source Project (AOSP) over the next 48 hours. The most serious flaws patched in this release are tracked as CVE-2015-6608 and CVE-2015-6609, and are located in the mediaserver and libutils components of Android, respectively. Both vulnerabilities can be exploited remotely through specially crafted media files.
Despite Apple having championed privacy and encryption, and having its most profitable year yet, the company is apparently not above censoring free speech on its Apple TV platform. The Chaos Computer Club claimed that Apple rejected the CCC's TV app that would allow viewers to stream the hacking conference because researchers have previously presented talks centered on hacking iOS.
It's a space mission of firsts. First -- a flock of eight 4-lb, tissue-box-sized satellites will be launched into space in a proof-of-concept mission that will show how multiple, yet affordable, nanosatellites can handle astrophysics duties or perform planetary science investigations, such as placing a network of satellites around an asteroid, Earth's moon, or another planet.
Part of a great marketing strategy includes building trust with consumers, especially with influential groups like millennials. You might also call them Generation Y or digital natives, but whatever you call them, it applies to anyone born between 1980 and the early 2000s. This group is usually top of the list for companies' brand awareness efforts, but the biggest threat to your marketing strategy lies more in your approach to cybersecurity than in how much money you spend on advertising. Intercede, a company specializing in identity management and secure authentication technology, surveyed roughly 1,000 U.S. and 1,000 U.K. participants aged 16 to 35 about levels of digital trust. The study found that millennials have suspicious attitudes and a general mistrust towards businesses. In a time where celebrities' iCloud accounts are hacked and every few months there is another data breach, it makes sense for young people to have a general sense of uncertainty about where their data goes and how it's used.
Breach Happens
Have you been affected by a breach? Gotten the notice in the mail that your payment card or other information may have been compromised? More hands are raised each time I ask my audiences that question.
A software development kit created by Chinese Internet services company Baidu and used by thousands of Android applications contains a feature that gives attackers backdoor-like access to users' devices. The SDK is called Moplus and, while it's not open to the public, it was integrated in more than 14,000 apps, of which only around 4,000 were created by Baidu, security researchers from Trend Micro said in a blog post Sunday. The company estimates that the affected apps are used by over 100 million users.
New products of the week
Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.
FullContact. Pricing: FullContact is free to download and use. FullContact Premium is available by subscription — two subscription options: FullContact Premium monthly for $9.99; FullContact Premium annually for $99.99.
It's only a game, but LightCyber hopes its Cyber Attack Training System (CATS) helps IT folks think like attackers in order to better defend their networks. The online game sets players up with stolen login credentials for a networked machine and turns them loose with Metasploit tools. The idea is for security pros to discover and compromise other devices on the network with the goal of capturing a specific file. Public access to CATS is available for 12 hours only on Nov. 10 and is open to anyone who can provide a legitimate corporate email address. The first 100 players who successfully find the target file win a black hoodie. The game will give network security pros who spend their days searching logs for indicators of compromise the chance to better understand the mindset of attackers so they are better prepared to search for their footprints.
It's not just the lowlifes and thieves making money from stolen data; you might be able to make a few bucks selling your own personal data, too. Now, I'm not suggesting you place an ad for your Personally Identifiable Information (PII) on Craigslist, but there are actually outlets that will let you, or plan to let you, sell some of your data. It's used for marketing.
Personal data marketplace
One such company is the U.S.-based Datacoup, which says it lets you connect your apps and services via APIs in order to sell data. Datacoup pitches itself as the world's first personal data marketplace.
With the Cybersecurity Information Sharing Act (CISA) the feds are trying to make it more attractive to share threat intelligence, but it won't do much to help businesses deal with the high cost of sorting through what can be an overwhelming flow of possible security incidents to find which ones need to be checked out. And deciding what data to share, what threat intelligence feeds to subscribe to and what tools are needed to turn potentially valuable information into action takes sizeable resources, experts say.
A glitch with Apple's QuickTime multimedia program has left some Windows users wondering why they're having trouble updating to the latest version. QuickTime has an auto-update mechanism, but it appears not to work on Windows 8 and 10, wrote Alton Blom, a Sydney-based security researcher, in a blog post. Blom wrote that he found inconsistencies in how QuickTime and Apple's Software Update tool interacted with each other depending on the versions of Windows and QuickTime installed. For example, on Windows 8, QuickTime reported that it was up to date, but Apple's Software Update tool said the application needed to be upgraded to 7.7.8, which is the latest version, Blom wrote.
UK police arrested a third suspect on Saturday relating to the breach at communications provider TalkTalk, which said the amount of data exposed is less than initially thought. A 20-year-old man was arrested after police executed a search warrant at an address in south Staffordshire, the Metropolitan Police said Sunday. The man, who was not identified, was arrested on suspicion of violations of the Computer Misuse Act and was later bailed. UK police arrested a 15-year-old boy in County Antrim, Northern Ireland, on Oct. 26, and a 16-year-old boy in Feltham, England, on Thursday. Both boys have been bailed.